Laravel: Available Hashing Methods

November 30, 2016 —John Koster

Even though Laravel only provides an Illuminate\Contracts\Hashing\Hasher implementation for the bcrypt function, many more hashing functions are available to developers. The following functions are available through PHP's crypt function:

| Function | Notes | Secure |
|---|---|---|
| CRYPT_STD_DES | Based on Standard DES; requires a two-character salt from the alphabet ./0-9A-Za-z. See the alphabet table below for more details. | Insecure |
| CRYPT_EXT_DES | Based on the Extended DES; allows for variable iterations (or rounds) ranging from 1 to 16 777 215, inclusive. Rounds are expressed as an integer in base64. Also allows for a salt four bytes long, following the iteration count. Salts must be derived from the alphabet ./0-9A-Za-z. See the alphabet table below for more details. | Insecure |
| CRYPT_MD5 | MD5 hashing. Allows for a twelve-character salt, starting with the string `$1$`. Because of the required characters in the salt, we are left with only eight usable characters for our salt. | Insecure |
| CRYPT_BLOWFISH | Blowfish hashing. Salt begins with `$2y$`, a cost parameter, and another `$`. Salts end with twenty-two characters from the alphabet ./0-9A-Za-z. See the alphabet table below for more details. Default hashing function used by Laravel. | Secure |
| CRYPT_SHA256 | A SHA-256 hash. Salts are sixteen characters and prefixed by the string `$5$`. Salts can begin with `rounds=<N>$`, where `<N>` is the number of rounds (ranging from 1 to 999 999 999, inclusive). The default number of rounds is 5 000. | Secure |
| CRYPT_SHA512 | A SHA-512 hash. Salts are sixteen characters and prefixed by the string `$6$`. Salts can begin with `rounds=<N>$`, where `<N>` is the number of rounds (ranging from 1 to 999 999 999, inclusive[^shaRoundsOutOfBounds]). The default number of rounds is 5 000. | Secure |

The insecure/secure designation is based on whether or not the function is a general-purpose function, and whether or not it is an option for PHP's password_hash function.

The SHA-2 family of hashing functions has had no publicly disclosed successful attacks against all rounds of the function. NIST is currently working on the SHA-3 family of hashing functions.

[^shaRoundsOutOfBounds]: Regarding CRYPT_SHA256 and CRYPT_SHA512, a value supplied for the number of rounds that falls out of the range 1 to 999 999 999, inclusive, will cause the supplied value to be truncated to the nearest limit.

The following table contains the characters from the alphabet ./0-9A-Za-z, which is used by many of the hashing functions in PHP. The characters are arranged in the order they would appear if you were to create a function to convert an integer to base64. Note that the spaces in the table are there to improve readability and are not part of the alphabet.

| Alphabet Class | Characters |
|---|---|
| Symbols | . / |
| Numeric | 0 1 2 3 4 5 6 7 8 9 |
| Lowercase Alpha | a b c d e f g h i j k l m n o p q r s t u v w x y z |
| Uppercase Alpha | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z |
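
As an added example (not code from the original article or from Laravel), the salt prefixes in the function table can be used to audit which function produced each stored hash and which rows carry an Insecure designation. The function name `identifyCryptScheme`, the sample users and the dummy password are assumptions; the hash lengths and the `_` prefix for CRYPT_EXT_DES come from PHP's crypt behaviour rather than from the table.

```php
<?php
// Added example: hypothetical helper, not part of Laravel or the original article.
// Maps a stored crypt() hash to the function and designation from the table above.
function identifyCryptScheme(string $hash): array
{
    $a = '[./0-9A-Za-z]'; // the shared salt/hash alphabet
    // Checked in order; lengths are the output lengths crypt() produces per scheme.
    // CRYPT_EXT_DES output starts with "_" (PHP behaviour, not stated in the table).
    $schemes = [
        'CRYPT_BLOWFISH' => ['#^\$2y\$\d{2}\$' . $a . '{53}\z#', 'Secure'],
        'CRYPT_SHA512'   => ['#^\$6\$(rounds=\d+\$)?' . $a . '{0,16}\$' . $a . '{86}\z#', 'Secure'],
        'CRYPT_SHA256'   => ['#^\$5\$(rounds=\d+\$)?' . $a . '{0,16}\$' . $a . '{43}\z#', 'Secure'],
        'CRYPT_MD5'      => ['#^\$1\$' . $a . '{0,8}\$' . $a . '{22}\z#', 'Insecure'],
        'CRYPT_EXT_DES'  => ['#^_' . $a . '{19}\z#', 'Insecure'],
        'CRYPT_STD_DES'  => ['#^' . $a . '{13}\z#', 'Insecure'],
    ];
    foreach ($schemes as $name => [$pattern, $designation]) {
        if (preg_match($pattern, $hash) === 1) {
            return ['function' => $name, 'designation' => $designation];
        }
    }
    // Anything else (for example a bare md5() hex digest) is not a crypt() format.
    return ['function' => 'unrecognized', 'designation' => 'Unknown'];
}

// Constructed sample rows: hashes of a dummy password generated with the salt
// formats from the table, plus one unsalted md5() value as a non-crypt() outlier.
$rows = [
    'alice' => crypt('dummy-password', 'ab'),
    'bob'   => crypt('dummy-password', '_J9..rasm'),
    'carol' => crypt('dummy-password', '$1$rasmusle$'),
    'dave'  => password_hash('dummy-password', PASSWORD_BCRYPT),
    'erin'  => crypt('dummy-password', '$5$rounds=5000$usesomesillystri$'),
    'frank' => crypt('dummy-password', '$6$rounds=5000$usesomesillystri$'),
    'grace' => md5('dummy-password'),
];

foreach ($rows as $user => $hash) {
    $info = identifyCryptScheme($hash);
    // Rows not designated Secure are flagged so they can be migrated.
    $action = $info['designation'] === 'Secure' ? 'ok' : 'flag for migration';
    printf("%-6s %-15s %-9s %s\n", $user, $info['function'], $info['designation'], $action);
}
```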

The following sections will create implementations of Illuminate\Contracts\Hashing\Hasher for the CRYPT_STD_DES, CRYPT_EXT_DES, CRYPT_MD5, CRYPT_SHA256 and CRYPT_SHA512 functions. For an implementation of the CRYPT_BLOWFISH function, see Laravel's default Illuminate\Hashing\BcryptHasher implementation. Afterwards, we will create a new Hasher class that will allow us to interact with all the various hashing functions and a new service provider class to register everything with the service container.

The following implementations will be created in some directory that can be accessed with the namespace Laravel\Artisan\Hashing. This namespace and directory are completely arbitrary and can be changed to match the structure of any project, so long as the namespace references are updated accordingly.
